EternalRocks – The New and More Sophisticated ‘Doomsday’ Worm

The blackhats have created a new strain of malware that targets the same vulnerability as the WannaCry ransomware from the first week of May.

The malware is called EternalRocks. It uses the same flaw in Microsoft’s SMB networking protocol to infect Windows systems that have not yet been patched with MS17-010. However, this new malware is far deadlier than WannaCry.

WannaCry ransomware created havoc and tension around the globe in the first half of May 2017. That ransomware used just two NSA hacking tools: ETERNALBLUE to compromise a machine and DOUBLEPULSAR to move around the network, find further victims and infect them. The newly discovered worm also spreads via SMB, but it uses seven NSA hacking tools leaked by a mysterious group calling themselves the Shadow Brokers:

EternalBlue — SMBv1 exploit tool

EternalRomance — SMBv1 exploit tool

EternalChampion — SMBv2 exploit tool

EternalSynergy — SMBv3 exploit tool

SMBTouch — SMB reconnaissance tool

ArchiTouch — SMB reconnaissance tool

DoublePulsar — Backdoor Trojan

ETERNALBLUE, ETERNALCHAMPION, ETERNALROMANCE and ETERNALSYNERGY are SMB exploits used to compromise vulnerable computers, while SMBTOUCH and ARCHITOUCH are two NSA reconnaissance tools used to scan for active SMB ports.

EternalRocks disguises itself as WannaCry to fool security researchers, but instead of dropping ransomware and encrypting the user’s files, it gains unauthorized control of the affected computer in order to launch future cyber attacks. The victim remains exposed to attacks until the malware is found and the steps required to eradicate the threat are taken.

Now let’s see how the attack takes place

Infection of EternalRocks takes place in two stages.

In the first stage, the malware, having entered a machine, downloads the necessary .NET components TaskScheduler and SharpZLib from the internet and drops svchost.exe and taskhost.exe. The svchost.exe component is used for downloading, unpacking and running Tor from archive.torproject.org, and for C&C communication (ubgdgno5eswkhmpy.onion) requesting further instructions.

In the second stage, after a predefined period (usually 24 hours), taskhost.exe downloads a payload from http://ubgdgno5eswkhmpy.onion/updates/download?id=PC and executes it. On initial execution it drops a bundle of exploits as shadowbrokers.zip and unpacks the directories payloads/, configs/ and bins/. It then starts a random scan for open TCP port 445 (SMB) on the internet, running the contained exploits (inside bins/) and pushing the first-stage malware through the payloads (inside payloads/, shown in the image below). It also expects the Tor process from the first stage to be running so that it can obtain further instructions from the C&C.
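Because the second stage sweeps random Internet addresses on TCP 445, a sudden fan-out of outbound SMB connections from a single internal host is a network-level signal a defender can hunt for in flow logs even before the sample itself is identified. The Python below is an added example, not code from the original post or from Saner: it runs that check over constructed flow-log lines, and the log line format, the RFC 1918 internal ranges and the threshold of 10 distinct external hosts within 60 seconds are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed flow-log line shape: "<ISO ts>Z src=<ip> dst=<ip> dport=<port> proto=tcp"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"
# Assumed internal ranges (RFC 1918); SMB traffic staying inside them is normal.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def constructed_sample_log():
    """Constructed sample lines, not real traffic: 10.0.0.12 mimics the second stage
    (12 distinct outside hosts on 445 in 24 s); 10.0.0.7 talks to one file server."""
    base = datetime(2017, 5, 20, 10, 0, 0)
    lines = []
    for i in range(12):
        ts = (base + timedelta(seconds=2 * i)).strftime(TS_FMT)
        lines.append(f"{ts} src=10.0.0.12 dst=203.0.113.{i + 1} dport=445 proto=tcp")
    for i in range(20):
        ts = (base + timedelta(seconds=i)).strftime(TS_FMT)
        lines.append(f"{ts} src=10.0.0.7 dst=10.0.0.200 dport=445 proto=tcp")
    return lines

def is_internal(addr):
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def parse(lines):
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], TS_FMT), m["src"], m["dst"], int(m["dport"])

def smb_scanners(lines, window=timedelta(seconds=60), threshold=10):
    """Map each source reaching >= threshold distinct external hosts on TCP 445
    within one sliding window to its peak distinct-destination count."""
    probes = defaultdict(list)  # src -> [(ts, dst)] for outbound 445 only
    for ts, src, dst, dport in parse(lines):
        if dport == 445 and not is_internal(dst):
            probes[src].append((ts, dst))
    flagged = {}
    for src, evs in probes.items():
        evs.sort()
        for i, (t0, _) in enumerate(evs):
            dsts = {d for t, d in evs[i:] if t - t0 <= window}
            if len(dsts) >= threshold:
                flagged[src] = max(flagged.get(src, 0), len(dsts))
    return flagged
```

Internal file-server traffic on 445 is deliberately ignored, so only a workstation reaching many outside hosts on SMB, the behaviour described above, is reported.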

Once compromised with ETERNALROCKS, the system can be used for any future attack, and the damage could be beyond imagination. Saner will detect this threat easily.

Saner caught this malware with Indicators (as seen in the image below).

The threats are detected in Viser.

EternalRocks can be weaponized instantly. Because of its larger exploit arsenal, the lack of detection and remediation, and its initial inactive state, EternalRocks could pose a serious threat to computers with vulnerable SMB ports exposed to the Internet if its author ever decided to weaponize the worm with ransomware, a banking trojan, RATs, or anything else.